[INFO] Everything about Android "Master Key" Vulnerability

Adam77Root

Inactive Recognized Developer
Jul 3, 2012
2,535
11,160
203
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
 

Attachments

biopsin

Senior Member
Nov 2, 2010
423
98
0
oslo
sub-frequency.me
regarding cm10

Hi, I´m trying to port this patch to cm10 and I have adapted all except where there was difference in patch vs cm10

Patch
- if-ge v10, v13, :cond_6
+ if-ge v11, v14, :cond_7

I have
- if-ge v10, v13, :cond_118
+ if-ge v11, v14, :cond_119 ??
How do I interpret the :cond_value, do I up it to the next nr.? thats what I did but this bootloops on me with..
Code:
W/dalvikvm( 4219): VFY: copy1 v0<-v24 type=22 cat=3
W/dalvikvm( 4219): VFY:  rejecting opcode 0x08 at 0x0021
W/dalvikvm( 4219): VFY:  rejected Ljava/util/zip/ZipFile;.readCentralDir ()V
W/dalvikvm( 4219): Verifier rejected class Ljava/util/zip/ZipFile;
D/AndroidRuntime( 4219): Shutting down VM
W/dalvikvm( 4219): threadid=1: thread exiting with uncaught exception (group=0x4119d300)
I will go over my editing incase of human error..

EDIT: seems I figured it out..booting now - OK there was another tiny difference between cm10 and cm10.1.1 where cm10 has
.method private readCentralDir()V
.registers 25 -> instead of .locals 24
Tested with Bluebox Secury Scanner and it reports Patched! Exellent Thanks for the diff..
 
Last edited:
  • Like
Reactions: wargear

edwin270

Senior Member
May 2, 2010
243
142
0
Tema
www.edsysinc.webs.com
It works on any rom. AFAIK oy Sense has changes in core.jar, but those are also just additions and not deep changes.

Sent from my LG-P880
And MIUI based Rom? Going through it's app permission it seems to have a very strict rules when it comes to apps even installed from the market.

Guess will have to try. Right?

Sent from my SGH-T959 using xda premium
 
Last edited:

md2020

Member
Dec 6, 2004
10
0
0
Better solution

Here the fast fix attempts to simply close the duplicate file exploit (what this essential is during the zip/unzip process), a better solution would be to modify the OS to use a TDE (Transparent Data Encryption) method, which would be simple enough to insure very low overhead, example would be a simple rotating, key, subkey column method.

What will happen now and is, would be the generations of common or desiable applications that have been compromised, where the target assumes it is a "Real Deal" and it simply looks and feels like the Real Deal but would essential work on that exploited victim's system like some notorious rootkit.
md2020

Or maybe not, thanks for the thread (brought up memories of MD5 tunneling and other fast indirect means of circumvention)
 

Ricky Divjakovski

Recognized Developer / Recognized Contributor
Feb 4, 2013
5,214
7,598
263
25
Sydney
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
hes right, vulnurabilty is black ad white the way @saurik explains it.
didnt suprise me he found it either, guys a master of java as we all know about his iOS exploits and Cydia package
 

Vagelis1608

Senior Member
Sep 16, 2012
2,173
841
193
Athens
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
Here is a fix:
http://forum.xda-developers.com/showthread.php?t=2365294

Sent from my GT-I5500 [Newly flashed CM10.1]
 

paco9432

Member
Dec 15, 2013
22
5
0
How to apply the fix

I appreciate this...

But how can I apply this fix, by the way I don't have any special ROM

Could you point me in the right direction please... ;)
 

Vagelis1608

Senior Member
Sep 16, 2012
2,173
841
193
Athens
Here is a fix:
http://forum.xda-developers.com/showthread.php?t=2365294

Sent from my GT-I5500 [Newly flashed CM10.1]
I appreciate this...

But how can I apply this fix, by the way I don't have any special ROM

Could you point me in the right direction please... ;)
Just follow the installation steps at the #1 post of the topic I provided ([URL="http://forum.xda-developers.com/showthread.php?t=2365294" ]this[/URL])

If you need any more help just sent me a pm.

Sent from my GT-I5500 [CM11]
 
Last edited: